ECZ-ID Supplier Evidence Review
Review local supplier and service-provider evidence before sharing it.
Free, local-first. No source upload. No sign-in to run a check.
- Surfaces supplier and service-provider evidence — locally, by filename and path.
- Builds a local, claim-free evidence summary you can review and share.
- Routes to Resolver lookup, implementation guidance and supported setup.
Useful for
Useful across many legitimate roles. Commonly used by:
- Platform and procurement teams
- Security and engineering reviewers
- Teams relying on external suppliers and APIs
- Anyone gathering local supplier or service-provider evidence
Relevant when before relying on a new supplier, service or repository, you are gathering local evidence, or you are locating public references for a supplier.
What you can do in under a minute
- Open or scan the workspace — run
ECZ-ID Supplier Evidence Review: Review / Scan Workspace.
- Review the evidence — observed and not-observed, in plain English.
- Open implementation guidance or continue supported setup where relevant.
What it looks for
- Supplier / service-provider reference evidence
- Organisation reference identifier (a registration or reference number you already hold)
- Domain / web-presence evidence
- Source repository evidence
- Software package / dependency evidence
- Public API surface evidence
Scope & limits
This extension organises local evidence only. It is not a financial, legal or compliance service. Specifically:
- It does not establish legal identity.
- It does not issue a score or verdict.
- It does not determine compliance.
- Your local policy decides what is sufficient — re-check before reliance.
Example use cases
- Before relying on a new supplier, service or repository.
- Locating public ECZ-ID / Resolver references for a supplier.
Example result
ECZ-ID Supplier Evidence Review - supplier evidence
- suppliers/acme/profile.md ...... present
- service-provider-evidence.md ... present
- public references .............. none found yet, review recommended
What results mean
Results describe observed evidence and public-proof posture — never a safety, approval, certification or compliance verdict:
evidence observed · evidence not observed · review recommended · no public proof reference found yet · re-check before reliance · your local policy decides.
There is no “pass/fail”. Local policy decides what is sufficient, and you should re-check before reliance.
Recommended next steps
- Show evidence — observed and not-observed, no verdict.
- Build evidence summary — a local, claim-free document you can review and save explicitly.
- Open implementation guidance — Developer Gateway.
- Open Resolver — read-only public proof lookup.
- Request Resolver Proof — for a public target (claim-free request).
- Begin supported setup — hand off to TrustOps (metadata only).
- Re-check later — re-run before you rely on a result.
Privacy & permissions
| Question |
Answer |
| Files read |
Filenames and paths during a normal scan |
| File contents read |
No — detection is filename/path only |
| Anything uploaded |
No source, prompts, secrets or tool payloads leave your device |
| Network destinations |
Only links you click, and an optional user-initiated public interface refresh |
| Telemetry |
None |
| Retention |
None |
| Workspace Trust |
Respected; scanning is gated by VS Code Workspace Trust |
See the bundled PRIVACY.md for the full notice.
Frequently asked questions
Is this extension free?
Yes. Every local check is free — you never need to sign in or pay to run one.
Does it upload my source code?
No. Detection is filename/path only; no source, prompts, secrets or tool payloads ever leave your device, and there is no telemetry.
Does a missing item mean something is wrong?
No. “Evidence not observed” is neutral — your local policy decides what is sufficient.
What does it do when the public interface service is unavailable?
It keeps working from a bundled fallback definition. A refresh is optional and user-initiated.
What it does not do
- No source / prompt / secret upload, and no telemetry.
- Provides local evidence review and guidance only - it does not issue ECZ-ID proof, activate services, grant access, or make approval, safety or compliance decisions.
- Makes no safety, approval, certification or compliance claim.
- Runs no checkout or payment — commercial actions happen only in TrustOps.
Install & first use
- In your editor's Extensions view, search for ECZ-ID Supplier Evidence Review (publisher EcoCitizenz) and install it.
- Open a project and trust the workspace.
- Run
ECZ-ID Supplier Evidence Review: Review / Scan Workspace and review the evidence.
Free vs supported setup
- Free, local-first: observed / not-observed supplier evidence, an evidence summary, and routes — no sign-in and no purchase to run a check.
- Supported setup (TrustOps): maintained ECZ-ID identity, public proof and lifecycle for supplier evidence — relevant when you need a resolver-verifiable result others can check, not just local review.
- You never need to buy anything to get local value; supported setup is a separate, optional step handled entirely in TrustOps.
Machine-readable facts
| Field |
Value |
| Product |
ECZ-ID Supplier Evidence Review |
| Identity |
ecocitizenz.eczid-counterparty-trust |
| Publisher |
EcoCitizenz |
| License |
Free; see the bundled LICENSE.txt |
| Version |
0.1.1 |
| Page family |
functional-extension |
| Purpose |
Review local supplier and service-provider evidence before sharing it. |
| Applicable audiences |
Platform and procurement teams; Security and engineering reviewers; Teams relying on external suppliers and APIs |
| Applicable scenarios |
before relying on a new supplier, service or repository; you are gathering local supplier evidence; you are locating public references for a supplier |
| Primary command |
ECZ-ID Supplier Evidence Review: Review / Scan Workspace |
| Inputs |
Supplier / service-provider references, organisation reference identifiers, domain / repository / package / API references |
| Outputs |
Observed / not-observed supplier evidence, an evidence summary, and routes |
| Data handling |
Filenames and paths only; no source / prompt / secret upload; no telemetry; retention none |
| Network behaviour |
Only links you open, plus an optional user-initiated public-interface refresh (GET, allowlisted ECZ-ID host) |
| Result states |
evidence observed; evidence not observed; no public proof reference found yet; review recommended; re-check before reliance; local policy decides |
| Limitations |
Does not issue proof, approve, certify, determine compliance, or run checkout |
| Canonical machine discovery |
https://machine.ecocitizenz.org/.well-known/ecz-machine.json |
| Public proof |
https://resolver.ecocitizenz.org |
| Documentation |
https://developers.ecocitizenz.com |
| Supported setup |
https://trustops.ecocitizenz.com/start |
| Re-check |
Re-run before reliance |
Links & support
ECZ-ID is independent trust infrastructure. Third-party names describe compatible ecosystems only and do not imply endorsement or affiliation. Local policy decides whether the evidence you review is sufficient.
